NpgsqlRest

Appearance

Comments
Written with Claude
IMPORTANT

As you may notice, this page and pretty much the entire website were obviously created with the help of AI. I wonder how you could tell? Was it a big "Written With Claude" badge on every page? I moved it to the top now (with the help of AI of course) to make it even more obvious. There are a few blogposts that were written by me manually, the old-fashioned way, I hope there will be more in the future, and those have a similar "Human Written" badge. This project (not the website), on the other hand, is a very, very different story. It took me more than two years of painstaking and unpaid work in my own free time. A story that, hopefully, I will tell someday. But meanwhile, what would you like me to do? To create a complex documentation website with a bunch of highly technical articles with the help of AI and fake it, to give you an illusion that I also did that manually? Like the half of itnernet is doing at this point? How does that makes any sense? Is that even fair to you? Or maybe to create this website manually, the old-fashioned way, just for you? While working a paid job for a salary, most of you wouldn't even get up in the morning. Would you like me to sing you a song while we're at it? For your personal entertainment? Seriously, get a grip. Do you find this information less valuable because of the way this website was created? I give my best to fix it to keep the information as accurate as possible, and I think it is very accurate at this point. If you find some mistakes, inaccurancies or problems, there is a comment section at the bottom of every page, which I also made with the help of the AI. And I woould very much appreciate if you leave your feedback there. Look, I'm just a guy who likes SQL, that's all. If you don't approve of how this website was constructed and the use of AI tools, I suggest closing this page and never wever coming back. And good riddance. And I would ban your access if I could know how. Thank you for your attention to this matter.

Forwarded Headers

New in 3.6.0

Forwarded Headers middleware was added in version 3.6.0.

Support for processing proxy headers when running behind a reverse proxy (nginx, Apache, Azure App Service, AWS ALB, Cloudflare, etc.). This is critical for getting the correct client IP address and protocol.

Overview

json
{
  "ForwardedHeaders": {
    "Enabled": false,
    "ForwardLimit": 1,
    "KnownProxies": [],
    "KnownNetworks": [],
    "AllowedHosts": []
  }
}

Settings Reference

SettingTypeDefaultDescription
EnabledboolfalseEnable forwarded headers middleware. Must be placed FIRST in the middleware pipeline.
ForwardLimitint1Limits the number of proxy entries that will be processed from X-Forwarded-For. Set to null to process all entries (not recommended).
KnownProxiesarray[]List of IP addresses of known proxies to accept forwarded headers from.
KnownNetworksarray[]List of CIDR network ranges of known proxies.
AllowedHostsarray[]List of allowed values for the X-Forwarded-Host header.

Why Forwarded Headers Matter

When your application runs behind a reverse proxy, the proxy intercepts all incoming requests. Without forwarded headers:

  • Client IP: Your application sees the proxy's IP instead of the real client IP
  • Protocol: Your application sees HTTP even if the client connected via HTTPS
  • Host: Your application sees the proxy's internal hostname instead of the public domain

This affects:

  • Rate limiting (you'd limit the proxy, not individual clients)
  • Logging and analytics (wrong IPs in logs)
  • HTTPS redirects (infinite redirect loops)
  • Cookie security (secure cookies fail on perceived HTTP)

Processed Headers

HeaderPurpose
X-Forwarded-ForGets real client IP instead of proxy IP
X-Forwarded-ProtoGets original protocol (http/https)
X-Forwarded-HostGets original host header

Forward Limit

Limits how many proxy entries are processed from the X-Forwarded-For header chain.

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 1
  }
}

If you have a chain of proxies (e.g., CDN → Load Balancer → Application), increase this value:

json
{
  "ForwardedHeaders": {
    "ForwardLimit": 2
  }
}

WARNING

Setting ForwardLimit to null processes all entries, which can be a security risk as attackers can inject fake X-Forwarded-For entries.

Known Proxies

Specify exact IP addresses of trusted proxies:

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "KnownProxies": ["10.0.0.1", "192.168.1.1"]
  }
}

Forwarded headers are only accepted from these IP addresses.

Known Networks

Specify CIDR network ranges when proxy IPs are dynamically assigned:

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "KnownNetworks": ["10.0.0.0/8", "192.168.0.0/16", "172.16.0.0/12"]
  }
}

This example trusts all private network ranges (common for cloud deployments).

TIP

If both KnownProxies and KnownNetworks are empty, forwarded headers are accepted from any source. This is less secure but may be necessary in some environments.

Allowed Hosts

Restrict which host headers are accepted to prevent host header injection attacks:

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "AllowedHosts": ["example.com", "www.example.com", "api.example.com"]
  }
}

If empty, any host is allowed.

Example Configurations

Behind nginx

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 1,
    "KnownProxies": ["127.0.0.1"],
    "AllowedHosts": ["myapp.com", "www.myapp.com"]
  }
}

nginx configuration:

nginx
location / {
    proxy_pass http://localhost:8080;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Host $host;
}

AWS ALB / ELB

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 1,
    "KnownNetworks": ["10.0.0.0/8", "172.16.0.0/12"]
  }
}

AWS load balancers automatically set forwarded headers. Trust the VPC network range.

Azure App Service

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 2
  }
}

Azure App Service sits behind multiple proxies. Empty KnownProxies/KnownNetworks allows headers from Azure's infrastructure.

Cloudflare + Origin Server

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 2,
    "KnownNetworks": [
      "173.245.48.0/20",
      "103.21.244.0/22",
      "103.22.200.0/22",
      "103.31.4.0/22",
      "141.101.64.0/18",
      "108.162.192.0/18",
      "190.93.240.0/20",
      "188.114.96.0/20",
      "197.234.240.0/22",
      "198.41.128.0/17",
      "162.158.0.0/15",
      "104.16.0.0/13",
      "104.24.0.0/14",
      "172.64.0.0/13",
      "131.0.72.0/22"
    ]
  }
}

TIP

Cloudflare publishes their IP ranges at https://www.cloudflare.com/ips/. Keep this list updated.

Docker/Kubernetes with Internal Load Balancer

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 1,
    "KnownNetworks": ["10.0.0.0/8"]
  }
}

Trust the container network range.

Development (Trust All)

json
{
  "ForwardedHeaders": {
    "Enabled": true,
    "ForwardLimit": 1
  }
}

DANGER

Do not use empty KnownProxies/KnownNetworks in production without understanding the security implications. Malicious clients can spoof forwarded headers.

Security Considerations

  1. Only enable behind trusted proxies: Forwarded headers can be spoofed by clients if not properly validated.

  2. Limit forward depth: Use ForwardLimit to prevent clients from injecting fake proxy chains.

  3. Specify known proxies: Use KnownProxies or KnownNetworks to only accept headers from trusted sources.

  4. Validate hosts: Use AllowedHosts to prevent host header injection attacks.

Next Steps

Comments

Released under the MIT License.

Copyright © 2024-2026 VB Consulting